Hackers Find WordPress Easy Pickings

WordPress -- one of the most widely used tools on the Internet -- is rife with vulnerabilities that hackers can exploit. The problem lies mainly with the plug-ins. No less than 30 percent of the top 50 WordPress plug-ins were found to have one or more critical flaws, according to a recent study by Checkmarx. The results were shocking, said founder and CTO Maty Siman.

By John P. Mello Jr.
Jun 17, 2013 9:35 AM PT

Adobe Reader and Oracle Java aren't alone in having a bull's eye painted on their code by hackers. WordPress also is becoming a popular target for Internet outlaws.

It's quite a large target, too. About 18 percent of the sites on the Web -- about 60 million of them -- use WordPress.

One reason WordPress is attracting hacker attention is that it's so easy to write plug-ins for it, noted Maty Siman, founder and CTO of Checkmarx.

There are more than 25,000 plug-ins written for WordPress. "That's good for WordPress, but it has some bad security implications," Siman told TechNewsWorld.

For instance, every week there are at least two advisories on critical security vulnerabilities in a WordPress plug-in.

Hacker's Paradise

Checkmarx is releasing a study Tuesday on vulnerabilities in WordPress plug-ins. The task was daunting, Siman confessed.

Six months ago, the company started scanning just the top 50 WordPress plug-ins.

"Once we limited ourselves to those vulnerabilities, the results were more meaningful -- yet shocking," Siman said. "We found that 30 percent of the top 50 plug-ins were found to be vulnerable to at least one of the vulnerabilities."

With numbers like that, it's no wonder hackers are paying more attention to WordPress.

"They've found it's relatively easy to hack WordPress," Siman observed, "and the benefit of hacking such a website is huge, because once you find a vulnerability, you can hack into millions of websites."
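The practical starting point for acting on the plug-in advisories mentioned above is knowing exactly which plug-ins, at which versions, a site is running. The script below is an added example, not code from the article or from Checkmarx: it reads the header comment block that WordPress requires at the top of a plug-in's main PHP file (the "Plugin Name:" and "Version:" fields) across a wp-content/plugins tree, and flags any plug-in whose version is below a "first fixed" version an administrator has recorded from an advisory. The plug-in names, versions and fixed-in versions are constructed for the example; the version comparison is a simplified one, not PHP's version_compare.

```python
"""Inventory a WordPress plug-in directory and flag versions below a recorded fix.

Added example, not from the article. Sample plug-ins and advisory data are
constructed here so the script runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# WordPress reads these fields from the comment block at the top of a plug-in's
# main file; it only inspects the first 8 KiB of the file when doing so.
HEADER_BYTES = 8192
_FIELD_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> Optional[Dict[str, str]]:
    """Return {"name", "version"} if source carries a plug-in header, else None."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(source[:HEADER_BYTES]):
        key, value = m.group(1), m.group(2).rstrip("*/ ").strip()
        fields.setdefault(key, value)  # first occurrence wins
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "")}


def inventory_plugins(plugins_dir: str) -> Dict[str, Dict[str, str]]:
    """Map each plug-in slug (directory or single file) to its parsed header.

    Like WordPress, only PHP files directly inside a plug-in directory are
    candidates for the main file; the first one with a header wins.
    """
    found: Dict[str, Dict[str, str]] = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path))
                          if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [path]  # single-file plug-in
        else:
            continue
        for candidate in candidates:
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(HEADER_BYTES))
            if header:
                found[entry] = header
                break
    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    """Simplified numeric version key: '1.10' sorts above '1.9'."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def outdated(inventory: Dict[str, Dict[str, str]], first_fixed: Dict[str, str]) -> List[str]:
    """Slugs whose installed version is below the recorded first-fixed version."""
    return sorted(slug for slug, hdr in inventory.items()
                  if slug in first_fixed
                  and version_tuple(hdr["version"]) < version_tuple(first_fixed[slug]))


def build_sample_install() -> str:
    """Create a throw-away plugins tree with constructed plug-ins (not real ones)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "example-forms/example-forms.php": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.0.3\n*/\n",
        "example-gallery/gallery.php": "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.9\n */\n",
        "example-gallery/helpers.php": "<?php\n// helper file, no plug-in header\n",
        "example-hello.php": "<?php\n/*\nPlugin Name: Example Hello\nVersion: 1.6\n*/\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_install()
    inv = inventory_plugins(root)
    for slug, hdr in inv.items():
        print(f"{slug:22} {hdr['name']:18} {hdr['version']}")
    # Hypothetical first-fixed versions, as an advisory tracker would record them.
    print("outdated:", outdated(inv, {"example-forms": "2.1.0", "example-gallery": "1.9"}))
```

Pointing inventory_plugins at a real wp-content/plugins directory gives the list to check against each week's advisories; the first_fixed map is where those advisories get recorded.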

Coalition Targets NSA

Mozilla and more than 60 technology and business organizations announced last week a coalition to prod federal action to address what they see as broad violations of U.S. citizens' privacy rights by the National Security Agency.

The NSA has been exposed by whistleblower Edward Snowden as mounting a massive data fishing expedition through the servers of Google, Facebook, Microsoft and others and daily hoovering all phone calls made on Verizon's phone network.

The high-tech giants all initially denied any willing participation in the NSA's surveillance campaign. However, Facebook, Microsoft and Apple have recently disclosed some information regarding their compliance with government requests.

"This moment is a wake-up for Internet companies -- for established companies like Facebook and Google, but also for startups and folks trying to get into these spaces," Levy said.

With Great Nets Come Great Responsibility

"They're realizing that storing users' data and creating these vibrant platforms, if successful, become mainstays of people's lives," Levy continued.

"It entails quite a bit of responsibility," he added, "and maybe it's the kind of responsibility that folks like Mark Zuckerberg didn't really expect to have when they started out years ago."

The Mozilla StopWatching.us coalition is calling on Congress to take the following steps:

Reform federal law to prohibit blanket surveillance of Internet activity and phone records of any person residing in the United States, and to require that violations of that prohibition be reviewed in adversarial proceedings before a public court;

Create a special committee to investigate, report, and reveal to the public the extent of domestic spying, and to make specific recommendations for legal and regulatory reform to end unconstitutional surveillance; and

Hold accountable those public officials who are found to be responsible for unconstitutional surveillance.

Trojan Spreads via Bluetooth

Some Android malware that includes Bluetooth in its propagation toolbox was discovered by Kaspersky Lab last week.

The malware -- dubbed "Backdoor.AndroidOS.Obad.a" -- is a multifunction Trojan that can send SMS messages to premium rate numbers and download malware to a phone.

"We've never seen this before -- but it's unlikely that this technique would become common and widespread," Maslennikov added.

"Besides the fact that Obad can operate as a classic backdoor, it's as sophisticated as many other types of malware for Windows," noted Maslennikov. "Growing complexity of mobile malware is becoming a new trend today, and we expect to see more sophisticated threats in the near future."

Data Breach Diary

June 10. Invincea discovers that a link from The Drudge Report leads to a Washington Free Beacon story serving malware to anyone who landed on the page.

June 11. Kaspersky Lab identifies Chinese-government-linked hacker group it calls "Red Star APT." Made up of about 50 people and active since 2004 or 2005, the group is responsible for 350 high-profile attacks, according to Kaspersky. Victims include government agencies, embassies, universities, defense contractors, and oil companies in 40 countries.

June 12. Protiviti releases annual Security and Privacy survey that shows two-thirds (68 percent) of respondents said they had elevated their focus on information security in response to recent press coverage of so-called "cyberwarfare." However, when asked if their organizations had a formal and documented crisis-response plan for use following a data breach or hacking incident, more than one-third reported that either their organizations did not (21 percent) or that they did not know (13 percent).

June 14. Identity protection firm CSID releases survey finding that only 12 percent of small businesses have a data breach preparedness plan. Researchers also find that 55 percent of the small businesses in the survey store Social Security numbers; 80 percent, email addresses; and 70 percent phone numbers and home addresses of employees, customers and partners.